In Asia, a disturbing threat has emerged where malicious actors get victims’ facial data and create convincing deepfake videos to gain access to their bank accounts. This raises the question: How safe and effective is facial authentication?
“While biometrics have long been considered as a reliable authentication mechanism the increasing accessibility to deepfake technology has opened doors for cybercriminals to exploit it for their nefarious purposes,” warns Anna Collard, SVP Content Strategy and Evangelist at KnowBe4 AFRICA.
In a shocking case of a banking trojan that steals people’s faces, fraudsters based in China have targeted older adults in Vietnam and Thailand to drain their bank accounts. These hackers disguise themselves as bank call centre agents and trick victims into sharing their identity documents and phone numbers. They then request facial scans from their victims, enabling them to carry out their fraudulent activities.
Collard explains that AI-generated deepfakes replace the images captured during the face scans. “These deepfakes are extremely realistic and can bypass certain security checkpoints.” One unfortunate victim, who downloaded a malicious app and was convinced to perform a face scan, lost more than R7.6 million ($40,000).
Should we be worried?
Using AI-generated deepfakes to bypass security checks shows a level of sophistication by these attackers and shows that criminals are embracing new and emerging technologies in their attacks.
Physical borders do not limit cybercriminals, and they will go wherever opportunities exist. “In South Africa, mobile banking and mobile adoption is pervasive. “This, coupled with a relatively low level of consumer awareness, makes our region an attractive target for these criminals. The real-world impact, technical sophistication and lack of known defences make this an emerging cybersecurity risk consumers should be aware of and prepared to address as it continues to develop.”
Are biometrics still safe?
The latest tactic has many IT experts questioning whether biometric identification is still safe to use. “Unlike passwords or other credentials that can be changed, biometric identifiers like fingerprints and facial features are permanent and cannot be replaced,” asserts Collard. “Also, criminals can use them repeatedly to impersonate victims and gain unauthorised access to their accounts, leading to banking fraud or a loss of their identity.”
Despite the cause for alarm, Collard does not believe it’s time for individuals or organisations to give up biometric authentication just yet. “Biometrics are usually more user-friendly than traditional passwords or patterns for locking phones and apps,” she comments. “This means they are more secure, as users are less likely to use weak or reused passwords. Also, biometric traits are unique and more difficult to steal compared to a password that could be guessed, phished, or hacked.
Increasing need for caution
However, Collard advises vigilance in the face of this growing threat. “Organisations should not abandon using biometrics authentication, but they need to keep pace with deepfake technology by implementing advanced liveness detection,” she says. Traditional liveness detection methods can be bypassed by advanced deepfake techniques that can inject fake imagery directly into the data stream. “Because of this, companies must implement more sophisticated liveness detection, such as 3D-facial scanning and challenge-response tests.”
Rather than relying on a single method of cybersecurity protection, Collard recommends a multifaceted strategy. “The best approach would be to use biometrics with other mechanisms, such as strong passwords or phishing-resistant, multi-factor authentication methods,” she said. “A layered approach always provides more protection than relying on one factor only because there is no such thing as a silver bullet in security.”